PHP :: Bug #69312 :: PHP Segmentation Fault after SOAP request sent

Bug #69312	PHP Segmentation Fault after SOAP request sent
Submitted:	2015-03-27 00:36 UTC	Modified:	2015-03-27 02:44 UTC
From:	os at irj dot ru	Assigned:	laruence (profile)
Status:	Closed	Package:	SOAP related
PHP Version:	5.6.7	OS:	Linux,Debian Squeeze,Debian Sid
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-03-27 00:36 UTC] os at irj dot ru

Description:
------------
After upgrade PHP from 5.6.6 to 5.6.7 PHP Segmentation Fault then Soap Client send request.
Bug present and tested on Debian Squeeze (compiled version 5.6.7), Debian Sid (5.6.7+dfsg-1)

Now, I am rollback PHP to 5.6.6



Test script:
---------------
<?php 
class WsseAuthHeader extends SoapHeader
{

    private $wss_ns = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
    private $wsu_ns = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';

    function __construct($user, $pass)
    {

        $created = gmdate('Y-m-d\TH:i:s\Z');
        $nonce = mt_rand();
        $passdigest = base64_encode( pack('H*', sha1( pack('H*', $nonce) . pack('a*',$created).  pack('a*',$pass))));

        $auth = new stdClass();
        $auth->Username = new SoapVar($user, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
        $auth->Password = new SoapVar($pass, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
        $auth->Nonce = new SoapVar($passdigest, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
        $auth->Created = new SoapVar($created, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wsu_ns);

        $username_token = new stdClass();
        $username_token->UsernameToken = new SoapVar($auth, SOAP_ENC_OBJECT, NULL, $this->wss_ns, 'UsernameToken', $this->wss_ns);

        $security_sv = new SoapVar(
            new SoapVar($username_token, SOAP_ENC_OBJECT, NULL, $this->wss_ns, 'UsernameToken', $this->wss_ns),
            SOAP_ENC_OBJECT, NULL, $this->wss_ns, 'Security', $this->wss_ns);
            parent::__construct($this->wss_ns, 'Security', $security_sv, true);
    }
}

class Segmentation_Fault
{

    protected $wsdl_url = "https://engine.paymentgate.ru/payment/webservices/merchant-ws?wsdl";

    protected $wsdl_params = array(
        "soap_version" => SOAP_1_1,
        "cache_wsdl" => WSDL_CACHE_NONE,
        "trace" => false
    );
    
    public function register() {
    
        try {
            	
            $client = new SoapClient($this->wsdl_url, $this->wsdl_params);
            $client->__setSoapHeaders(array(new WsseAuthHeader("secret_login", "secret_password")));
    
            $wsdl_data = array(
                "merchantOrderNumber" => 1,
                "amount" => 100,
                "currency" => 810,
                "returnUrl" => "http://example.com/invoices/payment/success?invoice_id=1",
                "failUrl" => "http://example.com/invoices/payment/fail?invoice_id=1",
                "description" => "Paymment for",
                "language" => "RU",
                "sessionTimeoutSecs" => 600
            );
            	
            $responce = $client->registerOrder(
                new SoapParam($wsdl_data, "order")
            );
            
            var_dump( $responce );
            	
        } catch (SoapFault $e) {
    
            $this->addError("Ошибка SOAP WSDL: " . $e->getMessage() );
            return false;
        }
        
    }
}

(new Segmentation_Fault())->register();

Expected result:
----------------
Compate SOAP Request

Actual result:
--------------
Segmentation fault

Backtrace:
root@keeper:/var/www/avtovokzal.localhost/httpdocs# php ./test-bug.php 
Ошибка сегментирования (core dumped)
root@keeper:/var/www/avtovokzal.localhost/httpdocs# gdb `which php` /var/log/dumps/core-php.20601 
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/php...Reading symbols from /usr/lib/debug/.build-id/a6/f49532c449dcf9782f4bab0ee17e41fead1ec6.debug...done.
done.

warning: core file may not match specified executable file.
[New LWP 20601]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php ./test-bug.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  master_to_xml_int (encode=0xe92c00 <defaultEncoding+448>, data=data@entry=0x7fcc7ade3960, style=style@entry=2, parent=parent@entry=0x15c61a0, check_class_map=check_class_map@entry=1)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:464
464	/build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c: Нет такого файла или каталога.
(gdb) bt
#0  master_to_xml_int (encode=0xe92c00 <defaultEncoding+448>, data=data@entry=0x7fcc7ade3960, style=style@entry=2, parent=parent@entry=0x15c61a0, check_class_map=check_class_map@entry=1)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:464
#1  0x0000000000599ddb in master_to_xml (encode=<optimized out>, data=data@entry=0x7fcc7ade3960, style=style@entry=2, parent=parent@entry=0x15c61a0)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:537
#2  0x000000000059d9d4 in to_xml_object (type=0xe936f0 <defaultEncoding+3248>, data=0x7fcc7ade3790, style=2, parent=<optimized out>) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:2068
#3  0x0000000000599576 in master_to_xml_int (encode=encode@entry=0xe936f0 <defaultEncoding+3248>, data=0x7fcc7ade3790, style=style@entry=2, parent=parent@entry=0x15c6670, 
    check_class_map=check_class_map@entry=1) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:526
#4  0x0000000000599ddb in master_to_xml (encode=encode@entry=0xe936f0 <defaultEncoding+3248>, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x15c6670)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:537
#5  0x000000000059990c in master_to_xml_int (encode=0xe92c00 <defaultEncoding+448>, data=data@entry=0x7fcc7ade3fc0, style=style@entry=2, parent=parent@entry=0x15c6670, 
    check_class_map=check_class_map@entry=1) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:445
#6  0x0000000000599ddb in master_to_xml (encode=<optimized out>, data=data@entry=0x7fcc7ade3fc0, style=style@entry=2, parent=parent@entry=0x15c6670)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:537
#7  0x000000000059d9d4 in to_xml_object (type=0xe936f0 <defaultEncoding+3248>, data=0x7fcc7ade3dc0, style=2, parent=<optimized out>) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:2068
#8  0x0000000000599576 in master_to_xml_int (encode=encode@entry=0xe936f0 <defaultEncoding+3248>, data=0x7fcc7ade3dc0, style=style@entry=2, parent=parent@entry=0x153d5e0, 
    check_class_map=check_class_map@entry=1) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:526
#9  0x0000000000599ddb in master_to_xml (encode=encode@entry=0xe936f0 <defaultEncoding+3248>, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x153d5e0)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:537
#10 0x000000000059990c in master_to_xml_int (encode=encode@entry=0xe936f0 <defaultEncoding+3248>, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x153d5e0, 
    check_class_map=check_class_map@entry=1) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:445
#11 0x0000000000599ddb in master_to_xml (encode=encode@entry=0xe936f0 <defaultEncoding+3248>, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x153d5e0)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:537
#12 0x000000000059990c in master_to_xml_int (encode=encode@entry=0x0, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x153d5e0, check_class_map=check_class_map@entry=1)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:445
#13 0x0000000000599ddb in master_to_xml (encode=encode@entry=0x0, data=<optimized out>, style=style@entry=2, parent=parent@entry=0x153d5e0)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/php_encoding.c:537
#14 0x000000000058de66 in serialize_function_call (this_ptr=<optimized out>, function=<optimized out>, function_name=<optimized out>, uri=<optimized out>, arguments=<optimized out>, 
    arg_count=<optimized out>, version=1, soap_headers=0x7fcc7ade5800) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/soap.c:4376
#15 0x0000000000593f92 in do_soap_call (this_ptr=0x7fcc7addc36b, this_ptr@entry=0x7fcc89930038, function=0xb2b22e "Wrong 'typemap' option", arg_count=11, arg_count@entry=1, 
    real_args=0x736e65 <ZEND_INIT_STATIC_METHOD_CALL_SPEC_CONST_VAR_HANDLER+85>, real_args@entry=0x0, return_value=0x4, return_value@entry=0x7fcc7ade5800, 
    location=0x652fb767fe9 <error: Cannot access memory at address 0x652fb767fe9>, location@entry=0x0, soap_action=0x0, call_uri=0x0, soap_headers=0x7fcc7ade5800, output_headers=0x0, 
    function_len=<optimized out>) at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/soap.c:2718
#16 0x0000000000594779 in zim_SoapClient___call (ht=<optimized out>, return_value=<optimized out>, return_value_ptr=<optimized out>, this_ptr=0x7fcc89930038, return_value_used=<optimized out>)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/ext/soap/soap.c:2942
#17 0x00000000006da3da in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#18 0x00007fcc83052bd6 in xdebug_execute_internal (current_execute_data=0x7ffee4c5cef0, fci=0x7ffee4c5d050, return_value_used=1) at /build/xdebug-BUKKDZ/xdebug-2.2.6/xdebug-2.2.6/xdebug.c:1553
#19 0x00000000006dc249 in zend_call_function (fci=0x7ffee4c5d050, fci_cache=0xb2b22e, fci_cache@entry=0x7ffee4c5d020) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_execute_API.c:849
#20 0x00000000007038a7 in zend_call_method (object_pp=object_pp@entry=0x7ffee4c5d100, obj_ce=<optimized out>, obj_ce@entry=0x13d12a0, fn_proxy=fn_proxy@entry=0x13d13f8, 
    function_name=function_name@entry=0xb2bb40 "__call", function_name_len=function_name_len@entry=6, retval_ptr_ptr=retval_ptr_ptr@entry=0x7ffee4c5d120, param_count=2, arg1=0x7fcc7ade5f18, 
    arg2=0x7fcc7ade5e98) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_interfaces.c:97
#21 0x0000000000713a60 in zend_std_call_user_call (ht=<optimized out>, return_value=0x7fcc7ade5e68, return_value_ptr=0x7fcc898f5378, this_ptr=0x7fcc89930038, return_value_used=<optimized out>)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_object_handlers.c:931
#22 0x00000000006da3da in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_dtrace.c:97
#23 0x00007fcc83052bd6 in xdebug_execute_internal (current_execute_data=0x7fcc898f55d0, fci=0x0, return_value_used=1) at /build/xdebug-BUKKDZ/xdebug-2.2.6/xdebug-2.2.6/xdebug.c:1553
#24 0x00000000007984d0 in zend_do_fcall_common_helper_SPEC (execute_data=0x7fcc898f55d0) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:560
#25 0x0000000000728520 in execute_ex (execute_data=0x7fcc898f55d0) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
---Type <return> to continue, or q <return> to quit---
#26 0x00000000006da278 in dtrace_execute_ex (execute_data=0x7fcc898f55d0) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#27 0x00007fcc8305215c in xdebug_execute_ex (execute_data=0x7fcc898f55d0) at /build/xdebug-BUKKDZ/xdebug-2.2.6/xdebug-2.2.6/xdebug.c:1439
#28 0x00000000007989fe in zend_do_fcall_common_helper_SPEC (execute_data=0x7fcc898f51e0) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:592
#29 0x0000000000728520 in execute_ex (execute_data=0x7fcc898f51e0) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_vm_execute.h:363
#30 0x00000000006da278 in dtrace_execute_ex (execute_data=0x7fcc898f51e0) at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend_dtrace.c:73
#31 0x00007fcc8305215c in xdebug_execute_ex (execute_data=0x7fcc898f51e0) at /build/xdebug-BUKKDZ/xdebug-2.2.6/xdebug-2.2.6/xdebug.c:1439
#32 0x00000000006eccc0 in zend_execute_scripts (type=2061353835, type@entry=8, retval=0xb2b22e, retval@entry=0x0, file_count=11, file_count@entry=3)
    at /build/php5-tXxPwu/php5-5.6.7+dfsg/Zend/zend.c:1341
#33 0x0000000000688bd0 in php_execute_script (primary_file=0x7ffee4c5fb50) at /build/php5-tXxPwu/php5-5.6.7+dfsg/main/main.c:2597
#34 0x000000000079a470 in do_cli (argc=2061353835, argv=0xb2b22e) at /build/php5-tXxPwu/php5-5.6.7+dfsg/sapi/cli/php_cli.c:994
#35 0x00000000004627cd in main (argc=2061353835, argv=0xb2b22e) at /build/php5-tXxPwu/php5-5.6.7+dfsg/sapi/cli/php_cli.c:1378

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-03-27 02:25 UTC] os at irj dot ru

If I disable opcache extension test script completed without segmentation fault

[2015-03-27 02:44 UTC] laruence@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence

[2015-03-27 02:44 UTC] laruence@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

this should be a dup to #69293

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Feb 13 17:01:29 2025 UTC